Hello Hayden,
I am working on a PoC implementing trusted device fingerprinting with CAS
6.1.2 (JSON storage for now) and I had the same problem: the user was never
prompted with the invite to register the device. I did a little debugging on
CAS and I found that if you redefine the class
org.apereo.cas.config.CasSimpleMultifactorAuthenticationConfiguration
in your WAR overlay and remove the conditions of activation of the
subclass CasSimpleMultifactorTrustConfiguration (l133-l134):
@ConditionalOnBean(name = "mfaTrustEngine")
@ConditionalOnProperty(prefix = "cas.authn.mfa.simple", name = "trustedDeviceEnabled", havingValue = "true", matchIfMissing = true)
then it works, though I have no idea yet of the possible side effects of
this modification.
For now, CAS registers the devices but the MFA always kicks in when a user
tries to connect from the same device. Has anyone had any success with this
feature?
On Friday, December 13, 2019 at 4:54:21 PM UTC+1, Hayden Sartoris wrote:
>
> The brief story: CAS never kicks off the multifactor trusted device
> registration webflow. I've tried this with just about every version of CAS
> 6, most recently with 6.1.2 and a large number of 6.2.0 snapshots. I've
> tested this with Google Authenticator, using both Redis and JSON for token
> storage, as well as CAS Simple MFA. I'm posting the very stripped-down
> configuration I've tried against a bare overlay template, but this has also
> been tested in a much more fully fledged environment with an LDAP backend,
> Redis ticket storage, etc.
>
> What stands out to me is that this was working before, at the beginning of
> the year, I believe. That leads me to suspect that something changed such
> that I am effectively misconfiguring the trusted MFA settings. Otherwise, I
> don't see how it could be so uniformly broken across multiple versions. On
> the other hand, I've attempted this with MFA REST storage, and the code for
> that is actually broken (in the sense that the cleaner process errors out
> without even contacting the REST URL), so perhaps there's just something
> totally wrong with MFA trusted devices in general.
>
> My testbed uses the vanilla Apereo CAS overlay template with the below
> modifications, including removing cas.properties in favor of cas.yml. I
> have a single RegexRegisteredService with no configuration other than the
> name, id, and URL. I am able to login as casuser, which triggers MFA
> registration as expected, proceeds to prompt for the token, and then...
> authenticates me directly to the service. The entire time, the only
> occurrences of the strings 'trust' or 'Trust' in the logs are 1. CAS dumping
> the configured property names at startup, 2. warnings about the encryption
> keys being set (obviously doesn't occur with a production configuration),
> and 3. the MFA trusted device storage cleaner firing and not finding
> anything.
>
> I'm really at the end of my rope here, and hoping someone will tell me I'm
> an idiot and I've missed something obvious.
>
> Thanks for any input,
> Hayden Sartoris
>
> *Additional modules in build.gradle:*
> dependencies {
>     // Other CAS dependencies/modules may be listed here...
>     compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-gauth:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-gauth-redis:${casServerVersion}"
>     compile "org.apereo.cas:cas-server-support-trusted-mfa:${casServerVersion}"
> }
>
> *CAS configuration:*
> redis:
>   host: redis
>   port: 6379
> server:
>   port: 8443
>   ssl:
>     enabled: true
>     keyStore: <...>
>
> cas:
>   serviceRegistry.json.location: "file:/etc/cas/services"
>   server:
>     name: https://cas02.bard.edu:8443
>     prefix: ${cas.server.name}/cas
>   authn:
>     mfa:
>       globalProviderId: mfa-gauth
>       gauth:
>         issuer: Bard
>         label: cas02.bard.edu
>         codeDigits: 6
>         timeStepSize: 30
>         trustedDeviceEnabled: true
>         redis:
>           host: ${redis.host}
>           port: ${redis.port}
>       trusted:
>         deviceRegistrationEnabled: true
>         json.location: "file:/etc/cas/config/trusted-dev.json"
>
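As an added illustration (not code from the thread or from CAS itself), this Python model evaluates the @ConditionalOnProperty gate quoted from CasSimpleMultifactorTrustConfiguration against Hayden's cas.yml using Spring Boot's relaxed-binding and matchIfMissing rules: the property condition passes unless cas.authn.mfa.simple.trustedDeviceEnabled is explicitly set to false, which leaves the @ConditionalOnBean(name = "mfaTrustEngine") check as the one that can still block the trust configuration. The config dict is constructed from the quoted YAML, reduced to the MFA section; no other CAS behaviour is modelled.

```python
"""Model of the @ConditionalOnProperty gate quoted above, evaluated against a cas.yml."""


def flatten(node, prefix=""):
    """Flatten nested YAML into Spring-style dotted property names.
    Keys that already contain dots (e.g. 'json.location') stay as path segments."""
    out = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def canonical(name):
    """Relaxed binding: trustedDeviceEnabled, trusted-device-enabled and
    TRUSTED_DEVICE_ENABLED all name the same property."""
    return name.replace("-", "").replace("_", "").lower()


def conditional_on_property(props, prefix, name, having_value=None, match_if_missing=False):
    """Mirror @ConditionalOnProperty: absent -> matchIfMissing; present -> must equal
    havingValue (case-insensitive), or just not be 'false' when no havingValue is given."""
    wanted = canonical(f"{prefix}.{name}")
    found = {canonical(k): str(v).lower() for k, v in props.items()}
    if wanted not in found:
        return match_if_missing
    if having_value is None:
        return found[wanted] != "false"
    return found[wanted] == having_value.lower()


def simple_mfa_trust_property_condition(cfg):
    """The property half of the gate quoted from the CAS class (l133-l134)."""
    return conditional_on_property(flatten(cfg), "cas.authn.mfa.simple", "trustedDeviceEnabled",
                                   having_value="true", match_if_missing=True)


# Constructed from the cas.yml quoted in the thread, reduced to the MFA section.
CAS_YML = {"cas": {"authn": {"mfa": {
    "globalProviderId": "mfa-gauth",
    "gauth": {"trustedDeviceEnabled": True},
    "trusted": {"deviceRegistrationEnabled": True,
                "json.location": "file:/etc/cas/config/trusted-dev.json"},
}}}}

if __name__ == "__main__":
    # No cas.authn.mfa.simple.* key is set, so matchIfMissing=true makes the condition pass.
    print("property condition passes:", simple_mfa_trust_property_condition(CAS_YML))
```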
You received this message because you are subscribed to the Google Groups "CAS Community" group.